Cyber Incident Victim: Novartis AG

Date:

Feb 2022

Location:

Switzerland

Summary

A cyberattack targeting Novartis by the Industrial Spy data-extortion gang involved the attempted sale of allegedly stolen data related to RNA and DNA-based drug technology, claimed to be taken from a laboratory environment. The threat actors listed 7.7 MB of timestamped PDF files on their marketplace, though the company confirmed no sensitive data was compromised and emphasized adherence to data privacy standards through implemented security measures. While the hacking group is known to deploy ransomware in other incidents, no encryption occurred here, and the full scope of potentially accessed data remains unclear.

Description

On or around February 25, 2022, the Industrial Spy cybercrime group infiltrated systems belonging to pharmaceutical corporation Novartis. The attackers exfiltrated data which they later listed for sale on their Tor-based extortion marketplace on June 2, 2022. Industrial Spy advertised 7.7 MB of PDF files purportedly containing RNA and DNA-based drug technology information and test data allegedly stolen from a Novartis laboratory environment. The files bore a timestamp matching the February intrusion date. The threat actors priced the dataset at $500,000 in bitcoin, claiming the materials originated directly from manufacturing plant laboratory systems. Industrial Spy maintained an operational pattern of combining data theft with ransomware deployment in other incidents, though no encryption activity was reported in this case.

Novartis publicly acknowledged the incident on June 3, 2022, confirming completion of an internal investigation that determined no sensitive data was compromised. The company issued a statement emphasizing its adherence to data privacy standards and implementation of unspecified industry-standard security measures in response to such threats. Novartis declined to disclose technical details regarding the breach timeline, initial intrusion vectors, or full scope of accessed systems. The limited data volume (7.7 MB) offered for sale left uncertainty about whether attackers extracted additional materials not yet leaked. Industrial Spy's marketplace listing remained active following Novartis' disclosure, maintaining availability of the allegedly stolen files for purchase through cryptocurrency transactions.
